Tweetdeck validating problem

The two types of installers can co-exist on the same machine (they have unique upgrade codes).

Well, for one reason or another, it was decided that this should no longer be the case, and for manageability we combined the two sets of flavors under one upgrade code so that only one product can be installed on a machine at a time. Months later the Marketing dept caught wind of this and wanted the old behavior back, so that both flavors could co-exist on a machine. Now that the two flavors of our software share the same upgrade code, they are identical as far as MSI is concerned, and there is no way to distinguish between the two in order to perform major upgrades.

Here's how I'm targeting the specific Product Codes of our past releases (25 individual products) and manually uninstalling the first one found using /x during the UI sequence.

I say, if you need to update, at least give me the option to have it silently done in the background.

The fix, so to speak, is fairly simple; the reality is going to be less so, I imagine:
- incorporate and require the oauth_verifier parameter
- increase entropy in the request tokens
- validate the signature on the requests
The downside is that I imagine it will break virtually every client utilizing the API.

o_O There are some more tests I need to run to make sure I don't have a bug in my code (or far more likely somewhere in the Big Int library I am using) anywhere in terms of the phase state analysis, and I will post back tomorrow after I've had a chance to do that.

This is a security bug and needs to be escalated appropriately.

My code to generate the request is as follows; take particular note of these lines:

oaStr = QUrl::toPercentEncoding("&") + QUrl::toPercentEncoding("SCREW_YOU=TWITTER_Y_U_NO_CHECK_THE_SIGNATURE");
m_dmap["oauth_signature"] = hmac_sha1(m_dmap["oauth_consumer_secret"].toAscii(), oaStr.toAscii());

As noted, this request, despite having both invalid parameters and an invalid signature due to the spurious string I elected to include, is perfectly OK per the API.
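The server-side counterpart of what the post above describes, as an added example that is not from the post or from Twitter's own code: an OAuth 1.0a HMAC-SHA1 verifier that recomputes the signature over the request's own parameters and therefore rejects a request whose signature was computed over a spurious string, and that can require oauth_verifier. The consumer secret, URL and parameter values are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(s):
    # OAuth 1.0a requires RFC 3986 encoding: only unreserved characters stay literal.
    return quote(s, safe="-._~")

def signature_base_string(method, base_url, params):
    # Encode each key/value, sort by (key, value), join, then encode the whole string.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def sign(method, base_url, params, consumer_secret, token_secret=""):
    # The HMAC key is consumer secret '&' token secret, both encoded (token may be empty).
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, base_url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def verify_request(method, base_url, params, consumer_secret, token_secret="",
                   require_verifier=False):
    # Server side: recompute over the request's own parameters and compare in
    # constant time, so a signature over anything else (or none at all) is rejected.
    presented = params.get("oauth_signature")
    if not presented or params.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    if require_verifier and not params.get("oauth_verifier"):
        return False  # access-token exchange must carry the verifier from authorization
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign(method, base_url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(expected.encode(), presented.encode())

# Constructed sample request; the secret is a placeholder, not a real credential.
CONSUMER_SECRET = "constructed-consumer-secret"
URL = "https://api.twitter.com/oauth/request_token"
PARAMS = {"oauth_consumer_key": "constructed-key", "oauth_nonce": "n0nce",
          "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1300000000",
          "oauth_version": "1.0", "oauth_callback": "oob"}

def signed_request():
    # A client that signs the proper base string.
    return {**PARAMS, "oauth_signature": sign("POST", URL, PARAMS, CONSUMER_SECRET)}

def spuriously_signed_request():
    # A client that, like the one in the post above, signs an unrelated string instead.
    bogus = pct("&") + pct("SCREW_YOU=TWITTER_Y_U_NO_CHECK_THE_SIGNATURE")
    mac = hmac.new(CONSUMER_SECRET.encode(), bogus.encode(), hashlib.sha1).digest()
    return {**PARAMS, "oauth_signature": base64.b64encode(mac).decode()}
```

A verifier that skips the recomputation, as the post reports the API doing, would accept both requests; this one accepts only the first, and also fails a request whose parameters were altered after signing.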

Leave a Reply